risks

Article

Operational Resilience Disclosures by Banks:Analysis of Annual Reports

Martin Leo

The Department of Finance, S P Jain School of Global Management, 10 Hyderabad Road, Singapore 119579,Singapore; martin.dbaon01009@spjain.org

Received: 3 November 2020; Accepted: 23 November 2020; Published: 1 December 2020 �����������������

Abstract: An array of developments impacting the financial services industry, such as increasingcomplexity, interconnectedness, third party dependencies and digitalization, means operationalresilience will remain a significant area of concern for policy makers, investors and customers.The purpose of this study is to evaluate if banks are disclosing information on their operationalresilience risk. The study initially reviews the regulatory landscape for operational resiliency.The recent annual reports of the GSIB banks are reviewed to identify if they have made referencesto operational resilience. Through text mining, a frequency analysis of terms related to operationalresilience was done, followed by an evaluation to understand the existence of relationships betweenthese terms. The study shows that the regulatory guidance for operational resilience is still evolvingwith much of the current impetus on cybersecurity. There is a notable gap between banks that havereported on operational resiliency and those that have not, with a few patterns visible. Research inthe area of operational resilience is relatively new and limited, and this research for the first timeanalyses the disclosures related to operational resilience in annual reports. Further, for policymakers,it highlights the disparity in disclosures around this relatively new area of risk, thus calling foradditional regulatory guidance.

Keywords: operational resilience; operational risk; bank; GSIB

1. Introduction

The financial services sector as a whole is becoming more complex, with the larger firms providinga significantly large number of services to clients. The delivery of these services is supported by avery significant amount of operational infrastructure. There is also an increasing demand for digitalservices, with customers coming to rely more heavily on digital channels. Customer and marketparticipant expectations regarding the availability of financial services have dramatically changed with24 h access to services being the expectation. This has brought the resilience and availability of thedelivery channels into sharper focus as even a brief service disruption could cause significant concern(European Commission 2019).

Resilience is broadly defined as “the capacity of a system to avoid disturbance and reorganize whileundergoing change so as to still retain essentially the same function, structure, identity, and feedbacks”(Walker et al. 2004). It is a concept with a multidisciplinary pedigree that focuses on the dynamiccapacity of a complex, adaptive, nonlinear system to self-repair in response to stress or transition to anew stable equilibrium. The tendency of the globally integrated financial system to oscillate from onecrisis to another makes resiliency an essential concept for the financial system. This term has come tofeature prominently in regulatory and supervisory discourse and documents since the financial crisis(Dowell-Jones and Buckley 2016).

The Regulators are starting to closely supervise operational risks and resilience. Regulatorsexplained that “a resilient financial system is one that can absorb shocks rather than contribute to

Risks 2020, 8, 128; doi:10.3390/risks8040128 www.mdpi.com/journal/risks

Risks 2020, 8, 128 2 of 15

them”, and defined operational resilience as “the ability to prevent, adapt and respond to, and recoverand learn from, technology, cyber-related and any other operational incidents”. Operational resilienceis now considered a priority issue, both from a regulatory perspective and within the financial servicessector (European Commission 2019).

In 2019, the UK’s financial regulators, the Bank of England (BoE), Prudential Regulation Authority(PRA) and Financial Conduct Authority (FCA), published a series of consultation papers (CPs) ontheir proposed approach to operational resilience in the financial sector. The publication was on theback of much scrutiny around IT failures and breaches occurring in the financial sector. As stated inthe foreword of the discussion paper titled ‘Building the UK financial sector’s operational resilience,’operational disruption can “impact financial stability, threaten the viability of individual firms andFMIs or cause harm to consumers and other market participants in the financial system”.

The focus of post-financial crisis reforms has been on the resilience of the financial system to‘withstand, re-route and recombine in the wake of a potentially catastrophic event to maintain systemicoperability’ so that it can ‘withstand, recover and bounce back from crisis’. In November 2011,the FSB published an integrated set of policy measures to address the systemic and moral hazardrisks associated with systemically important financial institutions (SIFIs). In that publication, theFSB identified as global systemically important financial institutions (G-SIFIs) an initial group ofGlobal Systemically Important Banks (GSIB), using a methodology developed by the BCBS. The FSB,in consultation with the BCBS, issued the revised list of GSIBs in November 2019 (FSB 2019).

The 2018 list of GSIBs together held more than $50 trillion in assets accounting for more thanone-third of the global banking system’s total assets and loans. These institutions play an essential rolein international capital market services, international financial infrastructure and international lendingactivities. The collective dominance of these institutions makes them central to the provision of globalfinancial services and the stability of the global financial system (Caparusso et al. 2019).

BCBS’ operational risk principle 12 specifies that a bank’s public disclosures should allowstakeholders to assess its approach to operational risk management and its operational risk exposure.It further expects that the amount and type of disclosure should be commensurate with the size,risk profile and complexity of a bank’s operations, and evolving industry practice. Corporate disclosuredocuments, such as annual reports and SEC 10-Ks, are a prime source of information for shareholdersand markets. These documents are required to provide not only a backward-looking analysis ofyear-on-year profitability but also forward-looking information. The annual reports are importantchannels of shareholder communication, particularly about the company’s business strategy andsignificant risks. It is therefore expected that important messages around risks—including risks andstrategies related to operational resiliency—would be highlighted in these communications.

With the increasing attention on the topic of operational resilience, this paper studies whetherbanks, as part of annual reports, have made disclosures about operational resilience.

The research focused on the GSIBs and the risk disclosures made in their annual reports.Text analysis was conducted on the most recently available annual report of the GSIB to evaluate thefollowing research questions:

1. Is operational resilience, and its related terms mentioned in the annual report and the frequencythese terms are mentioned with

2. Is there any relation between the terms related to operational resilience3. Is there any relation between the terms related to operational resilience and the operational

expense of the bank

Section 2 of the paper includes a review of available literature and regulations on operationalresilience in the banking industry. Section 3 explains the method for the research. Section 4 providesan analysis with conclusions of the research captured in Section 5.

Risks 2020, 8, 128 3 of 15

2. Review of Literature and Regulations

Business models are becoming increasingly digitalized, complex and inter-connected. Technologyhas advanced a lot over the last many decades, and increasingly in recent times has created a deeplyinterconnected world. This is notably so in the financial system as no financial institution can surviveon its own, isolated from the complex web of financial market infrastructures it is a part of andunderpinning its day-to-day business (Lautenschläger 2018; KPMG 2019; Infosys Ltd. 2019).

Disasters, natural or man-made, can potentially cripple or impair an organization’s ability toachieve its many business objectives. Firms run the risk that the costs of mitigating and redressingdisruptive operational risk events may be compounded by the potential damage to reputation andcustomer confidence, resulting in loss of business. Organizations must be able to manage theseevents to be always available. Operational risk events such as cyberattacks, severe weather, healthpandemics and power outages drive organizations to develop sophisticated availability measures toensure uninterrupted business operations. This requires organizations to work with their internalbusiness units, supply chains and business partners. The organization, additionally, must work withexternal stakeholders also—customers, government bodies, investors and the media. Organizationsare required to implement a new paradigm of operational resilience to achieve a comprehensive andcontinuous level of availability. A firm’s enterprise resilience can be divided into strategic resilience,financial resilience and operational resilience. Through the elevation of operational resilience at parwith strategic and financial resilience, firms should be able to align the resiliency approach withthe strategic goals, thereby holistically anticipating and navigating operational and financial risks(Tapper 2013; KPMG 2019).

Operational resilience is usually defined as “the ability of an organization to adapt rapidlyto changing environments”. Table 1 provides a list of operational resilience definitions availablefrom various sources. There are a few commonalities between the various definitions available.Key attributes common in the definitions are—the ability of the firm to:

- Prevent the occurrence of a crisis event- Protect itself from an adverse event- Responding to and recovering from a crisis event- Sustain business services in the event of a disruption

Table 1. Definitions for operational resilience available from various sources.

Source/Origin Definition

Principles for operationalresilience (BCBS)

The ability of a bank to deliver critical operations through disruption. This ability enables a bankto identify and protect itself from threats and potential failures, respond and adapt to, as well asrecover and learn from disruptive events in order to minimize their impact on the delivery ofcritical operations through disruption.

Building the UK financial sector’soperational resilience

The ability of firms, financial market infrastructure (FMI) and the system as whole to prevent,adapt and respond to, recover and learn from operational disruption.

KPMG (2019)Operational resilience is usually defined as the ability of an organization to adapt rapidly tochanging environments. This includes resilience of systems and processes and more generally,the ability of the organization to continue to operate its business in the event of disruptive events.

Carnegie Mellon’s ResilienceManagement Model CERT-RMM

An emergent property of an organization that can continue to carry out its mission in thepresence of operational stress and disruption

(Bradenburg et al. 2019)Operational resilience is the ability of an organization to continue to provide business services inthe face of adverse operational events by anticipating, preventing, recovering from, andadapting to such events.

(Lebaka et al. 2016)Resilience can be defined as the ability of a system to prevent the occurrence of a crisis and thecapacity to absorb the impact and recover to the normal state rapidly and efficiently when acrisis does occur

(PWC 2019) An organization’s ability to protect and sustain the core business services that are key for itsclients, both during business as usual and when experiencing operational stress or disruption.

(Finextra and IBM 2016)The ability to rapidly adapt and respond to dynamic changes—opportunities, demands,disruptions, threats—with limited impact to the business, and with a scope that spans people,process and IT

Risks 2020, 8, 128 4 of 15

Operational resilience has become an essential agenda item for boards and senior management.Operational resilience—different from traditional business continuity (BC) and disaster recovery(DR)—focuses on the firm’s adaptability to emerging threats, dependencies for providing criticalbusiness services end-to-end, and the broader economic as well as firm-specific impact of adverseoperational events. Operational resilience includes both the resilience of systems and processesand in general, the ability of the organization to continue to operate its business in the event ofdisruptive events.

While operational resilience has been a critical topic within the financial services sector ever sincebanking began, the emergence of digitalization, an increase in the complexity of financial instrumentsand the expansion of regulations has brought this topic increasingly to the fore. Contributing to theserisks is the increasing complexity in the delivery of financial services resultant from the proliferation ofinnovative products and services. This is concurrent with the existence of legacy IT systems that may notbe eliminated as more layers are added on to the technology stack, and these may not all be compatibleand adaptable. Change management control procedures could potentially also not be appropriatefor an environment that is dynamically transforming, making it more difficult for banks to manageand control operational risk. New concerns related to privacy, customer protection, cybercrime andinterconnectedness of the financial systems have led regulators to be increasingly concerned in ensuringthat all the participants in the financial services ecosystem are operationally resilient. The likelihoodof disruptions has increased with the increasing complexity in operational processes, technology,dependence on third parties (through outsourcing or fintech partnerships), interconnectedness anddata sharing within the economy, and sophistication of malicious actors. The impact of these eventshas also become more severe. The increase in the technological interdependencies among marketplayers and infrastructures could cause an IT risk event to rapidly escalate into a systemic crisis,especially where there is a concentration of services with one or a few dominant players. These factorsthat are all in play simultaneously could make it more difficult for banks to manage operational risk(Infosys Ltd. 2019; Bradenburg et al. 2019; Hernández 2019; Finextra and IBM 2016).

The importance of operational resilience in the financial industry is greater now than ever,driven by client expectations of 24/7 ‘always on’ service and regulatory regimes that are less tolerantof operational failures. It is an essential underpinning for the achievement of business goals andensuring that the confidence and trust of the customer and regulator can be satisfactorily retained.Market-leading operational resilience could enable banks to turn the areas most impacted by operationalresilience failures into areas for positive differentiation. Resources and attention for resilience competewith similar demands from other business priorities. With retail and commercial banks under threatfrom disruption and digitally-driven new entrants, the money and focus required to meet operationalresilience expectations will be a challenge.

Many firms are embarking or expected to embark on transformational programs to strengthentheir resilience to disruption. The strengthening is expected to be across all operational resiliencedomains—technology, data, third parties, facilities, operations and people. The business benefits areexpected to form an inherent part of a firm’s proposition, going beyond pure risk and compliance.Operational resilience can enable a firm to achieve a positive outcome to the firms’ financial performanceand reputation through different sources—(1) avoiding unexpected financial losses from adverseevents (2) the ability to serve the client continuously and seamlessly resulting in increased revenues (3)increased revenues (profits) translating to increasing stakeholders’ and investors’ confidence and theresultant gains (4) ability to avoid potential regulatory fees and losses (PWC 2019).

Carstens (2017) highlights the rapid technological change in financial services as one of thethree risks to financial stability from the current perspective. Vigilance is required on the part of thesupervisors and regulators for the protection of the depositors and investors. The central role of thefinancial services industry in society and the wide-ranging impact of a disruptive event has resultedin regulators across the globe increasing their scrutiny of firms’ ability to adapt to and recover fromoperational disruptions. The G20 Finance Ministers and Central Bank Governors noted that “the

Risks 2020, 8, 128 5 of 15

malicious use of information and communication technologies (ICT) could disrupt financial servicescrucial to both national and international financial systems, undermine security and confidence,and endanger financial stability” (Basel Committee on Banking Supervision 2018).

Operational resilience has always been an important area of focus for financial institutions andtheir regulators/supervisors. However, this focus has been limited to a narrow set of risks—IT securityand outsourcing. The recent and emerging approach of regulators, in particular the UK regulators, isto take a broader view of operational resilience, covering all risks that could impact the provision ofkey business services. The range and depth of regulatory requirements are varying across the differentregulatory jurisdictions. The focus is increasingly on the response and recovery to an operationaldisruption and ensuring that the continuity of business services can be preserved in the event ofa disruption occurring. This is a fundamental shift towards ‘operational resilience’ and will haveimplications for financial institutions globally.

Financial regulators have started to lay out expectations around the management of resilience.The Basel Committee on Banking Supervision (BCBS) introduced its Principles for the SoundManagement of Operational Risk in 2003 subsequently revising them in 2011 to incorporate thelessons from the financial crisis. In 2014, the Committee conducted a review of the implementation ofthe Principles. In August 2020 the BCBS issued a consultative document ‘Revisions to the principlesfor the sound management of operational risk’. Recognizing that the 2011 principles did not cater torisks arising from information and communication technology, a new and specific principle has beenintroduced in the 2020 version.

The 2011 version has a section on business resiliency and continuity which is revised to justBusiness Continuity Planning in the 2020 consultative paper. The consultation paper includes a sectionon Information and Communication Technology (Principle 10). This principle requires that “Banksshould implement robust ICT governance that is consistent with their risk appetite and tolerancestatement for operational risk and ensures that their ICT fully supports and facilitates their operations.”By having a principle specific to ICT, its significance in the context of operational risk is recognized.However, the principle remains tilted more towards the more legacy business continuity managementand information security controls as opposed to setting a more ambitious direction for operationalresilience. It also does not appear that the risks of newer technologies (e.g., robotics, distributed ledgertechnology) have been considered.

The BCBS, in August 2020, issued a consultative document titled “Principles for OperationalResilience” citing the need for further work in strengthening a bank’s ability to absorb operationalrisk-related events which could cause significant operational failures or wide-scale disruptions infinancial markets. The BCBS believes that operational risk-related events such as pandemics, cyberincidents, technology failures or natural disasters could cause significant operational failures orwide-scale disruptions in financial markets. There is, therefore, the need to strengthen the banks’ abilityto absorb these risk events increasing their resilience and thereby provide additional safeguards to thefinancial system. The BCBS seeks to promote a principles-based approach to improving operationalresilience through the publication of the consultative document.

The document builds on the Committee’s updated principles for the Sound Managementof Operational Risk, previously issued governance principles, as well as outsourcing, businesscontinuity and relevant risk management related guidance. The document acknowledges thatthe most predominant operational risks banks face are from vulnerabilities related to the rapidadoption and dependency on technology infrastructure for the provision of financial services andintermediation. The sector’s growing reliance on technology-based services provided by third partiesis also acknowledged as a predominant contributor to operational risks.

The focus of the document appears to be more on business continuity, outsourcing though there isa principle related to ensuring ‘resilient ICT, including cybersecurity’. There are principles related to‘Mapping interconnections and interdependencies’ and ‘Third-party dependency management’ that arenot in the earlier principles document. The consultative document does not take a creative and revised

Risks 2020, 8, 128 6 of 15

approach to deliver a more forward-looking and comprehensive set of principles for banks to adopt inthe relatively new area of operational resilience. This is, to an extent, acknowledged in the documentas it mentions that the principles are ‘largely derived and adapted from existing guidance’. Given thechanging technology landscape and the increasing digitalization of financial services and emergingtechnologies, there should have been more effort in providing a refreshed set of principles as opposedto solely adopting the existing guidance. Even in the area of cybersecurity, or what should have beenaddressed as cyber resilience, the principle falls short. The extensive text around remote-access makesit appear that this has been influenced by the COVID-19 situation where large numbers of employeesand contingent workers are operating from home through remote access. A principles documentshould be addressing a more expansive slate of past, present and emerging risks.

The European Commission (EC) issued a consultative document on digital operational resiliencein the area of financial services in December 2019. The document focuses on strengthening thedigital operational resilience of the financial sector, in particular as regards the aspects related toICT and security risk. The EC has noted the need for a dedicated approach to enhance whatcan be referred to as the digital operational resilience of financial institutions in the context of theincrease in outsourcing arrangements and third-party dependencies (e.g., through cloud adoption)(European Commission 2019).

The European Central Bank (ECB) has issued ‘Cyber resilience oversight expectations for financialmarket infrastructures’ defining the Eurosystem’s expectations in terms of cyber resilience based onglobal standards.

Recognizing that operational disruption can impact financial stability and potentially impactfirms, market infrastructure or consumers the Prudential Regulatory Authority (PRA), the FinancialConduct Authority (FCA) and the Bank of England jointly issued a discussion paper titled “Buildingthe UK financial sector’s operational resilience”. The paper lays out an expansive approach addressinghow the continuity of the services that firms provide can be maintained regardless of the cause of thedisruption. Operational disruptions to the products and services that firms and FMIs provide cannegatively impact consumers, market participants, threatening the viability of firms or the marketinfrastructure, potentially impacting the stability of the financial system.

Operational resilience of firms and the financial market infrastructure is a priority for thesupervisory authorities and is being viewed as no less important than financial resilience. The discussionpaper is among the most comprehensive regulatory publications documents around the topic ofoperational resilience. Operational resilience is more effectively managed by focusing on businessservices and therefore, central to the document is the firm’s understanding of business services and theprioritization of these services. The risk and control areas the paper addresses are around cyber risks,business continuity and contingency planning, outsourcing and critical service providers.

The Office of the Superintendent of Financial Institutions (OSFI) Canada, an independent federalgovernment agency, issued a discussion paper titled ‘Developing Financial Sector Resilience in aDigital World’ in September 2020. The paper touches on several technology-related themes, includingthe priority risk areas of—(a) cybersecurity (b) advanced analytics (c) third party ecosystem (d)digital data. The OSFI has observed that the increasing number of incidents, shifts in the severityof the risk and emerging risks require a better understanding among institutions and regulators.Technology and its risks weigh heavily in the discussion paper with the OSFI also seeking to hear, fromrespondents, the prevailing view regarding the relationship between operational resilience, operationalrisk management and technology risks.

The global financial sector continues to transform through rapid technological advancementand digitalization. Financial institutions, markets and infrastructures are more tightly-linked thanbefore, and there is high interdependence on the resiliency of the sector’s players and their processes.The forces, namely innovative financial technologies, that are shaping the change in the businessmodels and risk profiles, while known, are generating new non-financial risks and amplifying risks in

Risks 2020, 8, 128 7 of 15

the traditional areas. Technology is a crucial enabler for the industry; its widespread use poses risksacross the business.

Operational resilience is not entirely a novel concept. ORM requirements include expectationsthat financial institutions can withstand, recover and maintain continuity of critical operations througha disruption. However, traditional ORM practices tend to be more process-oriented with businesscontinuity management practices, a sub-category of operational risk, not broad enough to capture allthe nuances required. Operational resilience is expected to take a more outcomes-based approach toa given adverse event and is based on the premise that disruptions will occur (Canada Office of theSuperintendent of Financial Institutions 2020).

The Hong Kong Monetary Authority (HKMA) has issued a framework, the CybersecurityFortification Initiative (CFI), to enhance the cyber resilience of regulated institutions. The frameworkis built around through three elements (a) Cyber Resilience Assessment Framework (b) ProfessionalDevelopment Programme (c) Cyber Intelligence Sharing Platform.

Reserve Bank of New Zealand, in October 2020, issued a consultation document “Guidanceon Cyber Resilience”. The guidance draws on leading cybersecurity standards and guidelines.The guidance recommends principles for cybersecurity governance, cybersecurity capabilities,information sharing and third-party risk management.

3. Method

This research focussed on the GSIBs. These are large, complex, internationally active banks whosefailure could create cross-border spillover risks. Table 2 lists the GSIBs per the FSB (2019).

The primary source of data for this research is the annual reports of the banks. For the research,the most recent annual report available on the website of the GSIB was downloaded. The annual reportwas downloaded in pdf format.

Based on the literature reviewed, a list of terms related to resilience were determined. These termswere then grouped to have similar terms classified together. As an example, terms related to technologysuch as ‘data’, ‘automation’, ‘digital’ and ‘technology’ were grouped under ‘technology’. For bettersearch results, for some of these search terms a manual stemming approach was taken. The search termwas determined as ‘automat’ to capture all variations such as ‘automation’, ‘automated’. The searchterms and the group they were put in can be found in Table 3. Through text mining, the frequency ofthe words in each annual report was determined. Frequencies related to the search terms were thensummed to arrive at the frequency of terms for the group. The operating expense was manually readfrom the annual report and added to the data set for further analysis.

It was noted that the term ‘operational resilience’ or ‘operational resiliency’ were not explicitlymentioned; therefore an additional analysis was done to extract the text around the word “resilien”(to capture all variants such as ‘resilience’, ‘resiliency’). This text was manually analysed to narrowdown to operational resilience references only excluding references to financial resiliency. This wasused as the count of the term ‘operational resilience’ for each bank. The approach ensured a bettercount of the term instead of just mining the frequency of the word resiliency or resilient. The textextracted, only related to operational resilience, was then processed to plot a word cloud to visualizethe word associations.

The data of the terms and their frequency was analysed to determine:

1. Frequency of the terms2. Correlation between the terms3. Correlation between the operating expense of the bank and the terms4. Analysis of the terms in reference to the region of the bank5. Terms most associated with the text that mentions resilience

Packages in R were used for the text mining and analysis. The functions available in the packagepdfsearch were primarily used to mine for the keywords within the pdf files. Functions in the packages

Risks 2020, 8, 128 8 of 15

tm have been used to prepare the data for plotting the word cloud, followed by functions in the packagewordcloud for plotting. For charting the data functions in the packages PerformanceAnalytics, ggplot2,scatterplot3d have been used.

Table 2. List of G-SIBs (Source: FSB 2019).

G-SIBs (in Alphabetical Order)

Agricultural Bank of China

Bank of America

Bank of China

Bank of New York Mellon

Barclays

BNP Paribas

China Construction Bank

Citigroup

Credit Suisse

Deutsche Bank

Goldman Sachs

Groupe BPCE

Groupe Crédit Agricole

HSBC

Industrial and Commercial Bank of China

ING Bank

JP Morgan Chase

Mitsubishi UFJ FG

Mizuho FG

Morgan Stanley

Royal Bank of Canada

Santander

Société Générale

Standard Chartered

State Street

Sumitomo Mitsui FG

Toronto Dominion

UBS

UniCredit

Wells Fargo

Risks 2020, 8, 128 9 of 15

Table 3. List of terms mined for from the annual reports and the resilience term that they are grouped as.

Search Terms Resilience Term

data

technology

automat

digital

technolog

technology

operationoperation

process

bcp

bcpbusiness continuity

disaster recovery

drp

cyber-security

security

cyber

cybersecurity

data security

information security

It security

resilien

resilienceIt resilien

operational resilien

system resilien

outsourc

outsourcingthird-party

third party

cloud -

pandemic -

system failure -

4. Analysis

4.1. Occurrence of the Terms

Table 4 shows the descriptive statistics for the various terms, related to resilience, that were minedfrom the annual reports.

All the banks have made extensive mentions of technology and operation in their annual reportswith the relevant terms being mentioned on average 146 times for technology and 273 for operations.While all the banks have made extensive mentions of technology and operation, only 16 (62%) of themmade specific mention of operational resilience in their annual reports. The term was mentioned onaverage at least seven times with the outlier being one bank that mentioned the term nearly 81 times intheir annual report. While the extensive mention of the term ‘technology’ across all banks is reflectiveof the trend towards digitalization at banks, it appears that operational resilience has not universallybeen considered a risk despite the growing attention from regulators.

The banks that have mentioned operational resilience have done so in reference to the areasclosely related with the analysis showing that of the 16 banks that mentioned operational resilience 5

Risks 2020, 8, 128 10 of 15

of them were in the context of outsourcing, 12 in the context of information technology, 7 in the contextof business continuity planning and 12 in the context of security. It does show that outsourcing andbusiness continuity planning are not adequately mentioned in the context of operational resiliencethough they are essential components of operational resiliency as per the regulatory publications.

Table 4. Descriptive statistics for the terms studied from the annual reports of the GSIBs.

Size(n) Average Minimum Median Maximum Standard

Deviation

Number of Banks thatHave Mentioned theTerm at Least 1 Time

% of BanksMentioning the Term

technology 26 145.77 32 138 300 59.61 26 100%

operation 26 273.46 24 227 808 169.44 26 100%

bcp 26 2.88 0 3 9 2.44 21 81%

security 26 15.42 0 11 45 13.35 25 96%

resilience 26 7.77 0 1 81 16.82 16 62%

outsourcing 26 21.38 0 22 51 15.77 25 96%

cloud 26 2.92 0 2 17 3.57 19 73%

pandemic 26 4.08 0 1 32 6.84 15 58%

Nearly 96% of the banks mentioned security, with the term being mentioned on average at least15 times in the annual report. This is in line with the heightened attention around cyber securitythreats and increased activity of malicious actors. Outsourcing was another term reported by 96% ofthe banks with the term being mentioned nearly 22 times on average. This is reflective of the trendtowards outsourcing and engagement of third parties. Banks appear to be treating both as significanttopics with outsourcing appearing to be the more significant one. Business continuity planning termswere found in the reports of 21 banks (81%) with the term being mentioned approximately threetimes. Though outsourcing as a term was mentioned by 96% of the banks, indicating the extent ofcommunication around the topic, in the context of operational resilience, only 5 of 16 banks mentionedoutsourcing. Security, however, was mentioned in the context of operational resilience by 12 of the 16banks. This may indicate that while security is viewed as core to operational resilience by most banks,outsourcing is possibly still not viewed as a significant risk contributor to operational resilience.

Thirteen banks (50%) had mentioned all the terms in their annual reports, namely operationalresilience, security, outsourcing and business continuity. These banks have provided comprehensivecoverage of reporting by covering all the areas related to operational resilience.

While not directly related to resilience, terms related to cloud were analysed in the context ofoutsourcing, and increasing usage of cloud services. Cloud was found mentioned in at least 19 ofthe annual reports with the term appearing three times on average. This indicates the adoption ofemerging technologies such as cloud services by banks with widespread implications for operationalresilience that could be researched further.

In light of the current situation of the Coronavirus pandemic (COVID-19) the frequency of theterm pandemic was also analysed, and it was found that nearly 15 banks had made a mention of it.This term was mentioned on average four times with one bank mentioning it nearly 32 times. Of thefour banks that had mentioned pandemic more than 10 times in the recent annual report, only one hadalso mentioned it last year. A review of the previous year’s annual report for the other three banksshowed no mention of pandemic. The timing of the report issuance may have had an influence on themention of pandemic.

Figure 1 shows the banks, by region, that have reported on operational resilience in their annualreports. 100% of the UK banks in the analysis have mentioned operational resilience. On the otherextreme, none of the Asian banks analysed had a mention of operational resilience. 75% of the Europeanbanks and 88% of the North American banks studied mentioned operational resilience. This can beexplained by the limited regulatory guidance issued in the jurisdictions of these Asian GSIBs.

Risks 2020, 8, 128 11 of 15

Risks 2020, 8, x FOR PEER REVIEW 11 of 16

Nearly 96% of the banks mentioned security, with the term being mentioned on average at least 15 times in the annual report. This is in line with the heightened attention around cyber security threats and increased activity of malicious actors. Outsourcing was another term reported by 96% of the banks with the term being mentioned nearly 22 times on average. This is reflective of the trend towards outsourcing and engagement of third parties. Banks appear to be treating both as significant topics with outsourcing appearing to be the more significant one. Business continuity planning terms were found in the reports of 21 banks (81%) with the term being mentioned approximately three times. Though outsourcing as a term was mentioned by 96% of the banks, indicating the extent of communication around the topic, in the context of operational resilience, only 5 of 16 banks mentioned outsourcing. Security, however, was mentioned in the context of operational resilience by 12 of the 16 banks. This may indicate that while security is viewed as core to operational resilience by most banks, outsourcing is possibly still not viewed as a significant risk contributor to operational resilience.

Thirteen banks (50%) had mentioned all the terms in their annual reports, namely operational resilience, security, outsourcing and business continuity. These banks have provided comprehensive coverage of reporting by covering all the areas related to operational resilience.

While not directly related to resilience, terms related to cloud were analysed in the context of outsourcing, and increasing usage of cloud services. Cloud was found mentioned in at least 19 of the annual reports with the term appearing three times on average. This indicates the adoption of emerging technologies such as cloud services by banks with widespread implications for operational resilience that could be researched further.

In light of the current situation of the Coronavirus pandemic (COVID-19) the frequency of the term pandemic was also analysed, and it was found that nearly 15 banks had made a mention of it. This term was mentioned on average four times with one bank mentioning it nearly 32 times. Of the four banks that had mentioned pandemic more than 10 times in the recent annual report, only one had also mentioned it last year. A review of the previous year’s annual report for the other three banks showed no mention of pandemic. The timing of the report issuance may have had an influence on the mention of pandemic.

Figure 1 shows the banks, by region, that have reported on operational resilience in their annual reports. 100% of the UK banks in the analysis have mentioned operational resilience. On the other extreme, none of the Asian banks analysed had a mention of operational resilience. 75% of the European banks and 88% of the North American banks studied mentioned operational resilience. This can be explained by the limited regulatory guidance issued in the jurisdictions of these Asian GSIBs.

Figure 2 plots the frequency of the occurrence of the term resilience against the frequency of technology and operation as it appears in the annual reports. As seen in Figure 2, the UK banks also have a higher frequency of reference to operational resilience. This can be explained by the more advanced regulatory guidance available in the UK.

Figure 1. For each region, the percentage of banks (shown as ‘Y’) that have mentioned operational resilience in the annual report.

Figure 1. For each region, the percentage of banks (shown as ‘Y’) that have mentioned operationalresilience in the annual report.

Figure 2 plots the frequency of the occurrence of the term resilience against the frequency oftechnology and operation as it appears in the annual reports. As seen in Figure 2, the UK banks alsohave a higher frequency of reference to operational resilience. This can be explained by the moreadvanced regulatory guidance available in the UK.Risks 2020, 8, x FOR PEER REVIEW 12 of 16

Operational Resilience

Figure 2. Occurrence of the term resilience (operation resilience) plotted against the frequency of technology and operation as found in the annual reports.

4.2. Distribution of resilience terms by region

Figure 3 shows a distribution of the various terms related to resilience—outsourcing, business continuity, security—by the region of the bank. The disparity in the mention of the three topics is quite evident in the chart, with some banks standing out versus the others. The UK banks are positioned in the centre, with balanced coverage of all three topics. The Asian banks have the lowest numbers amongst the regions with very low counts for the three areas, with business continuity showing comparatively better numbers. The North American banks have better coverage of security and business continuity in comparison to outsourcing. The European banks also have lower numbers in the three areas.

Figure 2. Occurrence of the term resilience (operation resilience) plotted against the frequency oftechnology and operation as found in the annual reports.

4.2. Distribution of Resilience Terms by Region

Figure 3 shows a distribution of the various terms related to resilience—outsourcing, businesscontinuity, security—by the region of the bank. The disparity in the mention of the three topics is quiteevident in the chart, with some banks standing out versus the others. The UK banks are positionedin the centre, with balanced coverage of all three topics. The Asian banks have the lowest numbersamongst the regions with very low counts for the three areas, with business continuity showingcomparatively better numbers. The North American banks have better coverage of security andbusiness continuity in comparison to outsourcing. The European banks also have lower numbers inthe three areas.

Risks 2020, 8, 128 12 of 15

Risks 2020, 8, x FOR PEER REVIEW 12 of 16

Operational Resilience

Figure 2. Occurrence of the term resilience (operation resilience) plotted against the frequency of technology and operation as found in the annual reports.

4.2. Distribution of resilience terms by region

Figure 3 shows a distribution of the various terms related to resilience—outsourcing, business continuity, security—by the region of the bank. The disparity in the mention of the three topics is quite evident in the chart, with some banks standing out versus the others. The UK banks are positioned in the centre, with balanced coverage of all three topics. The Asian banks have the lowest numbers amongst the regions with very low counts for the three areas, with business continuity showing comparatively better numbers. The North American banks have better coverage of security and business continuity in comparison to outsourcing. The European banks also have lower numbers in the three areas.

Figure 3. Distribution of resiliency terms by region of the GSIB.

4.3. Relationship between the Terms

Figure 4 is the correlation chart for the different terms, frequencies of which were mined from theannual reports of the GSIB. In the correlation chart below

(a) the distribution of each variable is shown on the diagonal(b) the bivariate scatter plots with a fitted line are displayed on the bottom of the diagonal(c) the value of the correlation plus the significance level as stars is shown on the top of the diagonal

(d) each significance level is associated to a symbol: p-values (0, 0.001, 0.01, 0.05, 0.1, 1) <=>

symbols(***, **, *, .).

Risks 2020, 8, x FOR PEER REVIEW 13 of 16

Figure 3. Distribution of resiliency terms by region of the GSIB.

4.3. Relationship between the terms

Figure 4 is the correlation chart for the different terms, frequencies of which were mined from the annual reports of the GSIB. In the correlation chart below

(a) the distribution of each variable is shown on the diagonal (b) the bivariate scatter plots with a fitted line are displayed on the bottom of the diagonal (c) the value of the correlation plus the significance level as stars is shown on the top of the

diagonal (d) each significance level is associated to a symbol: p-values (0, 0.001, 0.01, 0.05, 0.1, 1) <=> symbols(***, **, *, .).

Figure 4. Chart showing the correlation between the frequency of the variables related to resilience as measured from the annual reports. Each significance level is associated to a symbol: p-values (0, 0.001, 0.01, 0.05, 0.1, 1) <=> symbols (***, **, *, .)

The chart shows there is sufficient evidence to conclude a significant linear relationship between the following variables mentioned in the annual reports:

1. Technology and operation: Positive correlation, r = 0.58, p ≤ 0.001 2. Technology and security: Positive correlation, r = 0.44, p ≤ 0.01 3. Technology and resilience: Positive correlation, r = 0.4, p ≤ 0.01 4. Operation and security: Positive correlation, r = 0.44, p ≤ 0.01 5. Operation and outsourcing: Positive correlation, r = 0.61, p = 0 6. Bcp and security: Positive correlation, r = 0.5, p ≤ 0.001 7. Bcp and resilience: Positive correlation, r = 0.41, p ≤ 0.01 8. Security and outsourcing: Positive correlation, r = 0.6, p ≤ 0.001

The research shows that there exists a significant relationship between the mention of resilience and technology, though the correlation is only 0.40. The correlation between resilience and operation was found to be only 0.30 and not significant enough to accept that a linear relationship existed.

The study sought to evaluate whether there was a relationship between the bank's operating expense and the mention of operational resilience to understand if banks with higher operating expenses were more focussed on operational resilience. The analysis showed a low correlation of 0.14

Figure 4. Chart showing the correlation between the frequency of the variables related to resilience asmeasured from the annual reports. Each significance level is associated to a symbol: p-values (0, 0.001,0.01, 0.05, 0.1, 1) <=> symbols (***, **, *, .).

The chart shows there is sufficient evidence to conclude a significant linear relationship betweenthe following variables mentioned in the annual reports:

Risks 2020, 8, 128 13 of 15

1. Technology and operation: Positive correlation, r = 0.58, p ≤ 0.0012. Technology and security: Positive correlation, r = 0.44, p ≤ 0.013. Technology and resilience: Positive correlation, r = 0.4, p ≤ 0.014. Operation and security: Positive correlation, r = 0.44, p ≤ 0.015. Operation and outsourcing: Positive correlation, r = 0.61, p = 06. Bcp and security: Positive correlation, r = 0.5, p ≤ 0.0017. Bcp and resilience: Positive correlation, r = 0.41, p ≤ 0.018. Security and outsourcing: Positive correlation, r = 0.6, p ≤ 0.001

The research shows that there exists a significant relationship between the mention of resilienceand technology, though the correlation is only 0.40. The correlation between resilience and operationwas found to be only 0.30 and not significant enough to accept that a linear relationship existed.

The study sought to evaluate whether there was a relationship between the bank’s operatingexpense and the mention of operational resilience to understand if banks with higher operatingexpenses were more focussed on operational resilience. The analysis showed a low correlation of 0.14(p-value > 0.05) between expense and resilience, showing that no relationship existed between themention of the term resilience and the expense of the bank.

The text adjoining the word resilience (only related to operational resilience) was extracted,and a word cloud was created to visualize the associations. Figure 5 shows the word cloud and theassociations of the words frequently appearing with operational resilience.

Risks 2020, 8, x FOR PEER REVIEW 14 of 16

(p-value > 0.05) between expense and resilience, showing that no relationship existed between the mention of the term resilience and the expense of the bank.

The text adjoining the word resilience (only related to operational resilience) was extracted, and a word cloud was created to visualize the associations. Figure 5 shows the word cloud and the associations of the words frequently appearing with operational resilience.

Figure 5. Word cloud for the text around operational resilience.

The research focused only the GSIB banks, and due to file formats and language, the analysis could be done on only 26 banks. The APAC region has many countries and banking regulators and the GSIBs are concentrated only in two countries, which would have had an impact on the regional analysis. While due care has been taken in identifying the terms for the search and analysis, some variants could have been missed. To search for terms related to cybersecurity, ‘security’ was not used as this may have also captured references to financial security. This exclusion may have resulted in a few terms not being mined.

5. Conclusions

After the events of 2007–2008 provided evidence that significant systemic risks could emerge and escalate from within the financial system, there was extensive regulatory guidance from the regulators to ensure financial resilience. Regulators have moved earlier in the area of operational resilience, recognizing the rapid digital transformation at banks and the parallel advancing threat landscape. Many regulators have recently issued consultative documents for enhancing non-financial resilience. The extent of regulatory guidance for operational resilience still lags behind what is available for financial resilience. The BoE, PRA and FCA have been the front runners, issuing a comprehensive document for operational resilience; the BIS has only recently issued a dedicated document on operational resilience. Most of the regulatory publications on resiliency are more focused on cybersecurity. While this is the most significant threat, operational resiliency is much deeper and complex, and there is a need to have more comprehensive regulatory guidance to ensure a truly operationally resilient bank and consequently an operationally resilient financial system. Comprehensive regulatory guidance will ensure that the efforts are not overtly focused on one threat area, resulting in siloed control capabilities, defeating the intended objectives of resilience. Regulatory publications should also include guidance to manage risks from new and emerging technologies and operating models. While a few regulators have addressed cyber resiliency testing, the area of operational resiliency testing would benefit from further guidance.

This paper analyses the extent to which banks, namely the GSIBs, have made disclosures, in their annual reports, with regards to operational resilience on whether and, if so, the extent to which companies make disclosures around operational resilience within their annual reports. The analyses of GSIB annual reports show that the extent to which operational resilience is reported on is limited.

Figure 5. Word cloud for the text around operational resilience.

The research focused only the GSIB banks, and due to file formats and language, the analysiscould be done on only 26 banks. The APAC region has many countries and banking regulators and theGSIBs are concentrated only in two countries, which would have had an impact on the regional analysis.While due care has been taken in identifying the terms for the search and analysis, some variants couldhave been missed. To search for terms related to cybersecurity, ‘security’ was not used as this mayhave also captured references to financial security. This exclusion may have resulted in a few terms notbeing mined.

5. Conclusions

After the events of 2007–2008 provided evidence that significant systemic risks could emergeand escalate from within the financial system, there was extensive regulatory guidance from theregulators to ensure financial resilience. Regulators have moved earlier in the area of operationalresilience, recognizing the rapid digital transformation at banks and the parallel advancing threatlandscape. Many regulators have recently issued consultative documents for enhancing non-financial

Risks 2020, 8, 128 14 of 15

resilience. The extent of regulatory guidance for operational resilience still lags behind what isavailable for financial resilience. The BoE, PRA and FCA have been the front runners, issuing acomprehensive document for operational resilience; the BIS has only recently issued a dedicateddocument on operational resilience. Most of the regulatory publications on resiliency are morefocused on cybersecurity. While this is the most significant threat, operational resiliency is muchdeeper and complex, and there is a need to have more comprehensive regulatory guidance to ensurea truly operationally resilient bank and consequently an operationally resilient financial system.Comprehensive regulatory guidance will ensure that the efforts are not overtly focused on one threatarea, resulting in siloed control capabilities, defeating the intended objectives of resilience. Regulatorypublications should also include guidance to manage risks from new and emerging technologiesand operating models. While a few regulators have addressed cyber resiliency testing, the area ofoperational resiliency testing would benefit from further guidance.

This paper analyses the extent to which banks, namely the GSIBs, have made disclosures, in theirannual reports, with regards to operational resilience on whether and, if so, the extent to whichcompanies make disclosures around operational resilience within their annual reports. The analyses ofGSIB annual reports show that the extent to which operational resilience is reported on is limited. Thereare disparities in the reporting of operational resilience in terms covered, the number of times referredto and the extent to which the various topics are covered. While all the banks analysed had a broadmention of technology and operation in the annual report, operational resilience was mentioned onlyby 62% of the banks. Security and outsourcing were mentioned in annual reports of 96% of the banks.The reporting by banks in certain regions is far better than other regions, and this can be attributedto the extent of regulatory guidance available in the respective regions. A significant relationshipwas found between the pairs—technology and operation; technology and security; technology andresilience; operation and security; operation and outsourcing; security and outsourcing. There did notappear to be a significant relationship between the operating expense of a bank and the mention ofoperational resilience.

There needs to be better guidance for disclosure by banks who have an obligation to disclosethe risks related to operational resilience to their external stakeholders such as investors, clients,business partners. Standards for disclosures should enable an investor to compare the resiliencyrisks between different banks. The industry, especially banks that operate globally, would greatlybenefit from harmonization of the regulatory requirements related to operational resiliency acrossjurisdictions. A more consistent way to measure and report operational resiliency risks would benefitthe stakeholders of the banks by providing a comparative view of the resiliency risk of the bank.Regulators, through a harmonization of the guidance around operational resilience, can drive betterstandardization of practices such as disclosures and reporting, ensuring a framework that is moreefficient and effective in compliance.

The area of operational resiliency will also benefit from additional research, especially aroundareas of measuring and reporting operational resilience and comprehensive operational resiliencytesting. This study highlights the disparity in disclosures on operational resilience and also provides abasis for future empirical research on operational resilience in banking.

Funding: This research received no external funding.

Conflicts of Interest: The author declares no conflict of interest.

References

Basel Committee on Banking Supervision. 2018. Cyber-Resilience: Range of Practices. Basel: Bank for InternationalSettlements.

Bradenburg, Rico, Tom Ivell, Evan Sekeris, Matthew Gruber, and Paul Lewis. 2019. Striving For OperationalResilience. New York: Oliver Wyman.

Risks 2020, 8, 128 15 of 15

Canada Office of the Superintendent of Financial Institutions. 2020. Developing Financial Sector Resilience in aDigital World. Ottawa: Canada Office of the Superintendent of Financial Institutions.

Caparusso, John, Yingyuan Chen, Peter Dattels, Rohit Goel, and Paul Hiebert. 2019. Post-Crisis Changes in GlobalBank Business Models: A New Taxonomy. IMF Working Papers. Washington, DC: International Monetary Fund.[CrossRef]

Carstens, Agustín. 2017. The Nature of Evolving Risks to Financial Stability. Paper presented at the 53rd SEACENGovernors’ Conference/High-Level Seminar and 37th Meeting of the SEACEN Board of Governors, Bangkok,Thailand, December 15–17; Bangkok: BIS, pp. 13–14.

Dowell-Jones, Mary, and Ross Buckley. 2016. Reconceiving resilience: A new guiding principle for financialregulation. Northwestern Journal of International Law & Business 37: 1.

European Commission. 2019. Digital Operational Resilience Framework for Financial Services: Making the EUFinancial Sector More. Available online: https://ec.europa.eu/info/publications/finance-consultations-2019-financial-services-digital- (accessed on 9 August 2020).

Finextra, and IBM. 2016. How to Get Ahead on Operational Resilience: Strategies for Financial Institutions. London:Finextra Research Ltd.

FSB. 2019. 2019 List of Global Systemically Important Banks (G-SIBs). Available online: https://www.bis.org/bcbs/publ/d296.htm (accessed on 16 September 2020).

Hernández, Pablo. 2019. Financial Technology: The 150-Year Revolution. Paper presented at the 22nd EuroFinance Week, Frankfurt, Germany, November 18–22; Frankfurt: BIS, pp. 1–11.

Infosys Ltd. 2019. Designing for Operational Resilience. In Blast Effects on Buildings. London: ICE Publishing.[CrossRef]

KPMG. 2019. Operational Resilience in Financial Services. Honkong: KPMG.Lautenschläger, Sabine. 2018. Sabine Lautenschläger: Cyber Resilience—Objectives and Tools. In Euro Cyber

Resilience Board for Pan-European Financial Infrastructures. Frankfurt, BIS central bankers’ speeches.Lebaka, L., J. Hernantes, and J.M. Sarriegi. 2016. A holistic framework for building critical infrastructure resilience.

Technological Forecasting & Social Change 103: 21–33.PWC. 2019. Operational Resilience: Your Swiss Army Knife to Survive the next Crisis. In The Art of Organisational

Resilience. London: Routledge. [CrossRef]Tapper, David. 2013. Lack of Operational Resilience Will Undermine Enterprise Competitiveness: A Strategy for

Availability. Framingham: IDC.Walker, Brian, Crawford S. Holling, Stephen R. Carpenter, and Ann Kinzig. 2004. Resilience, adaptability and

transformability in social–ecological systems. Ecology and Society 9: 2. [CrossRef]

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutionalaffiliations.

© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open accessarticle distributed under the terms and conditions of the Creative Commons Attribution(CC BY) license (http://creativecommons.org/licenses/by/4.0/).